If some authority for whatever reason decides they want to monitor your traffic on a wired DSL connection, how would they do it besides exploiting your OS? What are the other ways assuming the OS is locked down against intrusion?

Ideas I have so far:

At the modem. Get a different modem.

ISP server/records. Use a VPN? Do secure VPNs like AES 256 circumvent all possibility of monitoring traffic?

DNS records. Use different DNS servers besides the ISP's.

Hardware based backdoor. Get a different computer.

Line is tapped physically at the junction box. Would a secure VPN protect your traffic in this case?

4 Answers
4

All of the wires and cables, most of which are totally out of your physical control, could be tapped. Read-only CAT-5 cables can easily be made, and work even for the most inept. I'm certain that the local loop, the circuit connecting your domicile to the phone company's Central Office, can be tapped at many, many locations. The technology to decode DMT (the most common Layer 2 DSL protocol) is unknown to me.

DSL usually uses PPPoE to communicate over the local loop. That means that the phone company's end of the PPP connection would be a logical, easy place to tap all of the IP-level communication. This is totally out of your control, and even if your TCP or UDP level comm is encrypted, you'd be subject to traffic analysis.

If it is a physical tap somewhere along the connection, does a secure VPN (AES-256, Camellia-256) shield you? If it's a hardware backdoor, it will still have to dial out and could thus be found by monitoring packets, no?
–
bigbro, Sep 27 '12 at 16:28

2

Ultimately, I don't know, but unless the VPN makes some effort to confuse traffic analysis, stuff can leak. See: crypto.com/papers/jbug-Usenix06-final.pdf The "jitterbug" outlined in that paper could be used by the backdoor to sneak info out.
–
Bruce Ediger, Sep 27 '12 at 16:43
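Added example, not part of the original thread: one way to run the "monitor the packets" check raised in the comments, by flagging anything that leaves the PC outside a full-tunnel VPN, including DNS queries that bypass the tunnel. The addresses, the VPN server and port, and the flow-record format are assumptions made up for this sketch.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical values, not from the page): documentation-range
# addresses and a full-tunnel VPN whose server is VPN_SERVER on UDP 1194.
VPN_SERVER = ip_address("203.0.113.10")
VPN_PORT = ("udp", 1194)
LOCAL_NETS = [ip_network("192.168.1.0/24")]

# Constructed flow records from a capture box between the PC and the modem:
# start_time,src,dst,proto,dst_port,bytes
SAMPLE_FLOWS = """\
2012-09-27T16:00:01,192.168.1.20,203.0.113.10,udp,1194,48211
2012-09-27T16:00:07,192.168.1.20,198.51.100.53,udp,53,412
2012-09-27T16:03:12,192.168.1.20,192.168.1.1,udp,67,342
2012-09-27T16:05:40,192.168.1.20,198.51.100.77,tcp,443,1830
2012-09-27T16:35:41,192.168.1.20,198.51.100.77,tcp,443,1792
not,a,valid,row
"""

def outside_tunnel(flow_csv):
    """Return {(dst, proto, port): {"flows", "bytes", "kind"}} for traffic
    that left the host without going through the VPN tunnel."""
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "kind": ""})
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _, _, dst, proto, port, nbytes = row
            dst, port, nbytes = ip_address(dst), int(port), int(nbytes)
        except ValueError:
            continue  # malformed or short record: skip it
        if dst == VPN_SERVER and (proto, port) == VPN_PORT:
            continue  # expected: the encrypted tunnel itself
        if any(dst in net for net in LOCAL_NETS):
            continue  # LAN-only traffic (DHCP, gateway) never crosses the line
        entry = findings[(str(dst), proto, port)]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["kind"] = "dns-leak" if port == 53 else "unexpected-egress"
    return dict(findings)

if __name__ == "__main__":
    for key, info in outside_tunnel(SAMPLE_FLOWS).items():
        print(key, info)
```

This only catches traffic that bypasses the tunnel. A covert channel that modulates the timing of legitimate packets, as in the JitterBug paper linked above, produces no extra flows for it to flag.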

Do secure VPNs like AES 256 circumvent all possibility of monitoring traffic?

Absolutely not.

What is to say the VPN is not complicit in this monitoring, either for domestic, or foreign, law enforcement? They may have the same legal requirement to provide wiretaps to law enforcement as any other ISP in their country.

Secondly, a VPN, which is either IPv4-in-IPv4 (GRE) (optionally encrypted) packets or SSL (OpenVPN/SSTP), like any encryption, requires that you use or obtain a key locally. You have two threats to any such setup:

Attacks to obtain the key. Again, the VPN provider could hand law enforcement your session key, or this could be obtained from your PC, or;

MITM attacks. Depending on the type of VPN, how trust in the remote endpoint is verified, etc., it may be possible to simply route you to a system that decrypts your data on the fly.

As Rory says, it depends how valuable you are as a target, but no, merely using a VPN does not give you any guarantee of security.